
Separate Duties at the VA

Separate duties at the VA covers situations where team members need to review packages/releases/tagged items without seeing source code.

Some teams at the VA might have processes that require a separation of duties, where users can pull down releases and associated files but should not be able to view or manipulate the original source code, either remotely or locally. To meet this requirement, the project being audited needs two repositories: one for the project source code and another for the releases themselves.

Separate duties at the VA

To assist with the management of projects requiring separation of duties, we suggest following these measures to ensure ease of use:

  • Duty-based teams appended with -devs, -auditors, and -admins
    • -devs teams will have write access to both the source code and distributions repositories
    • -auditors teams will have read access to the distributions repositories
    • -admins teams will have admin access to both the source code and distributions repositories
      • This team is responsible for repository settings
  • Project repository naming conventions
    • Create the source code repository, name it as appropriate, and set it to private
      • Assign -devs team to have write access
      • Assign -admins team to have admin access
    • Create the release-only repository with the same name as the source code repository, but append -dist (example: pharmx and pharmx-dist)
      • Assign -devs team to have write access
      • Assign -auditors team to have read access
      • Assign -admins team to have admin access
  • README.md additions
    • README.md files should contain the related repository information (example: Source code: (link to repo) or Distributions: (link to -dist repo))
    • Team information for each duty (example: pharmx-devs and pharmx-auditors)
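The team and repository layout above, expressed as a small policy script (an added example, not part of this guide or of any VA tooling): it generates the `gh api` calls that apply the grants for a project and audits a set of observed grants against the policy, so that a stray grant such as the -auditors team having read on the source repository is caught. `EXAMPLE_ORG`, the `pharmx` project name and the observed grants are constructed placeholders.

```python
# Permission names as the GitHub REST API uses them (pull = read, push = write).
READ, WRITE, ADMIN = "pull", "push", "admin"

def desired_permissions(project):
    """Map (team, repo) -> permission for a project using the -devs/-auditors/-admins and -dist conventions."""
    src, dist = project, f"{project}-dist"
    return {
        (f"{project}-devs", src): WRITE,
        (f"{project}-devs", dist): WRITE,
        (f"{project}-auditors", dist): READ,  # auditors get no grant at all on the source repo
        (f"{project}-admins", src): ADMIN,
        (f"{project}-admins", dist): ADMIN,
    }

def gh_commands(org, project):
    """Render the gh CLI calls (REST endpoint 'add or update team repository permissions') that apply the policy."""
    return [
        f"gh api -X PUT /orgs/{org}/teams/{team}/repos/{org}/{repo} -f permission={perm}"
        for (team, repo), perm in desired_permissions(project).items()
    ]

def audit(project, observed):
    """Compare observed explicit team grants {(team, repo): permission} with the policy; [] means an exact match."""
    want = desired_permissions(project)
    findings = []
    for (team, repo), perm in observed.items():
        if (team, repo) not in want:
            findings.append(f"unexpected grant: {team} has {perm} on {repo}")
        elif perm != want[(team, repo)]:
            findings.append(f"wrong level: {team} has {perm} on {repo}, want {want[(team, repo)]}")
    for (team, repo), perm in want.items():
        if (team, repo) not in observed:
            findings.append(f"missing grant: {team} should have {perm} on {repo}")
    return sorted(findings)

# Constructed sample of observed grants: auditors were mistakenly given read on the
# source repo, and the devs' write grant on pharmx-dist was never applied.
SAMPLE_OBSERVED = {
    ("pharmx-devs", "pharmx"): WRITE,
    ("pharmx-auditors", "pharmx-dist"): READ,
    ("pharmx-auditors", "pharmx"): READ,
    ("pharmx-admins", "pharmx"): ADMIN,
    ("pharmx-admins", "pharmx-dist"): ADMIN,
}

if __name__ == "__main__":
    print("\n".join(gh_commands("EXAMPLE_ORG", "pharmx")))  # EXAMPLE_ORG is a placeholder
    print("\n".join(audit("pharmx", SAMPLE_OBSERVED)))
```

The audit covers explicit team grants only; the organization's base permission for private repositories and any direct collaborator grants on the source repository must be checked separately, since either can give an auditor read access without a team grant.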
